Last night at FSCONS I was awarded the Nordic Free Software Award, sharing the price with Daniel Stenberg who incidentally (or perhaps not) I have been collaborating with on some projects. Receiving a price like this is a great motivator and I feel humbled when thinking about the many excellent hackers that were attending the FSCONS that cheered me on. Thank you everyone.

Many years ago, for my master’s thesis, I worked on evaluating using the DNS to store certificates. I eventually ended up fixing several problems in RFC 2538 in a document that became RFC 4398. Using CERT records to store certificates haven’t really taken off, but now I’m happy to see work in this area: Dan Mahoney has blogged about How to publish PGP keys in DNS. Nice work!

Russel’s approach is to look for man pages of functions ending with _r and labeling the non-_r-function as a thread unsafe function. Russel’s and my approach are quite different, so I wanted to compare the results. There is potential for me to add more functions to search for. I still want to preserve my approach of explicitly listing known thread unsafe functions, though.

Running Russel’s command, I get a list of functions that my script catches that Russel’s doesn’t, and vice versa. For reference, the functions that my script catches that Russel’s doesn’t are:

The list contains lgamma, lgammaf, and lgammal which are all excluded by Russel’s command. I don’t understand why — according to the man page, the functions uses a global variable for sign, which doesn’t seem thread safe. So it seems right to include them?

What’s more interesting (for me) is the list of functions that Russel’s script catches that my script currently doesn’t. Here is the list:

I started looking into each function. For erand48 there is a erand48_r function in glibc, and the former does indeed seem to use a global variable. However, as far as I can tell from the POSIX specification, erand48 should be thread safe. So I filed a glibc bug about it. The same concern may hold for jrand48, lcong48, nrand48, seed48, and srand48.

I noticed that initstate, random, setstate, and srandom are defined by latest POSIX, but not mentioned as a thread-unsafe functions. Possibly a bug in the POSIX specification?

I also noticed that I had missed to include tmpnam even though it is mentioned separately in the POSIX link.

The rest of the functions are not documented by POSIX, and presumably thread unsafe (although I didn’t read the man page or source code for each of them).

In the end, I ended up adding several new functions to check for. The latest script is always available from:

I haven’t seen this before, so I thought I’d documment how to generate a server TLS certificate using CACert. This can be useful if you are running a mail or web server and easily (and cost free) want to support TLS for integrity/confidentiality. I just re-installed my secondary mail server, and tested this recipe with Exim4 with Debian. See below for a step-by-step howto.
First make sure you have the GnuTLS command line tools installed:

You can use --dsa if you want to use DSA instead of RSA, and can change the key size using --bits. The default is 2048-bit RSA which should be good enough for most people.

The next step is to generate a Certificate Request. CACert only looks at the Common Name field, so I left the rest empty. If you are using some commercial CA, you may need to enter something in the other fields.

Then login to CACert and click on ‘Server Certificates’ and then ‘New’. It will ask you to paste in the certificate request. Here you paste in the content of the exim.csr file. CACert will ask you to confirm the hostname. After that it will show a certificate in the resulting web page. Put the certificate in a file exim.crt like this:

The GnuTLS trac installation is in a poor shape. To fix that, I looked into alternatives and found Redmine. Redmine appears to do most things that I liked in Trac (wiki, roadmap and issue tracking) plus it supports more than one project (would come in handy for my other projects) and has built-in git support. I would like to see better spam handling and OpenID support, but it is good enough for our purposes now, and there are similar concerns with trac.

However, getting it up and running with lighttpd on a modern debian lenny installation was not trivial, and I needed some help from #redmine (thanks stbuehler). After finally getting it up and running, I made a copy of the machine using rsync and rsnapshot, so I could re-create a working configuration if I get stuck, and then re-installed the virtual machine.

The notes below are the steps required to set up Redmine using Lighttpd and MySQL on a Debian Lenny. I’m posting this to help others searching for the error messages I got, and to help my own memory in case I need to re-install the server sometime.
I assume you have installed Debian Lenny, and have root access to it. You need to install some dependencies:

Starting the lighttpd server at this point results in an error message:

li37-61:~# /etc/init.d/lighttpd restart
Stopping web server: lighttpd.
Starting web server: lighttpd.
li37-61:~#
2008-10-17 04:50:03: (mod_fastcgi.c.1047) the fastcgi-backend /home/redmine/redmine/public/dispatch.fcgi failed to start:
2008-10-17 04:50:03: (mod_fastcgi.c.1051) child exited with status 9 /home/redmine/redmine/public/dispatch.fcgi
2008-10-17 04:50:03: (mod_fastcgi.c.1054) If you’re trying to run PHP as a FastCGI backend, make sure you’re using the FastCGI-enabled version.
You can find out if it is the right one by executing ‘php -v’ and it should display ‘(cgi-fcgi)’ in the output, NOT ‘(cgi)’ NOR ‘(cli)’.
For more information, check http://trac.lighttpd.net/trac/wiki/Docs%3AModFastCGI#preparing-php-as-a-fastcgi-programIf this is PHP on Gentoo, add ‘fastcgi’ to the USE flags.
2008-10-17 04:50:03: (mod_fastcgi.c.1358) [ERROR]: spawning fcgi failed.
2008-10-17 04:50:03: (server.c.908) Configuration of plugins failed. Going down.

FastCGI modules are not installed by default, so you will need to install them:

li37-61:~# apt-get install libfcgi-ruby1.8

Restarting the server again, and accessing dispatch.fcgi using your browser, will result in errors like:

The Free Software & Culture conference FSCONS is held in Gothenburg October 24-26th. Having been there and given talks last year, I can recommend it for anyway interested in what’s going on the free software and culture world.

I’m happy and proud to notice that I have been nominated for their award, for my work on security packages for the GNU project. Too bad I cannot make it to the conference this year.

Using OpenWRT with WPA-PSK 2 on Broadcom WLAN routers have been stuck on a quite old bug. Recently someone suggested that it may have been fixed in trunk, which caused me to test it. And it works!

It took some time to work out the details here. To save myself time to reconstruct the commands, and hopefully save you some time too, I wrote down how to use OpenWRT with two Asus WL-500g Premium linked together wirelessly using WDS and PSK2 encryption.